Memory buildup after updating to NMAS 3.3.2.2

  • 7004809
  • 05-Nov-2009
  • 26-Apr-2012

Environment


Novell eDirectory 8.8.5 FTF 1 for All Platforms
Novell Modular Authentication Service (NMAS) version 3.3.2.2

Situation

After upgrading to NMAS 3.3.2.2, the dhost or ndsd processes, or nmas.nlm, regularly grow in memory consumption and lead to frequent hangs and abends/crashes.

Resolution

To determine whether you are affected by this particular issue, first check whether your system has users with large value counts for the pwdFailureTime attribute. To do so, in iMonitor go to Reports, Report Config, Value Count, enter 5000 in the Max Value Count field and run the report.

If one or more users display a high value count for the pwdFailureTime attribute, you could be affected by this issue. The more values the attribute holds, the greater the risk of a memory buildup that crashes the server before the attribute is cleaned up by the server.

To prevent the attribute from building up, the feature that updates it can be disabled. This can be done on a per-user basis (a schema update is necessary) by setting the attribute sasUpdateLoginInfo to 1. It can also be set for the whole server by setting LoginInfo to 1 on server startup. For more information on how to do this, follow the instructions at:
https://www.novell.com/documentation/nmas33/admin/data/bg8dphs.html
Once the update of pwdFailureTime has been disabled, the values can be cleaned up manually with dsrepair and the -sx switch. The -sx switch deletes all values of a particular attribute. Since eDirectory 8.8.5 FTF 1, the deletion synchronizes to the other replicas. This switch should be used with extreme caution!

Since only a few users are normally affected, it is possible to clean up only those users with a single object repair. On Linux/Solaris the command is:
ndsrepair -J<entryID> -Ad -sx "pwdFailureTime"

For NetWare and Windows the single object repair switch is different:
dsrepair -SO<entryID> -sx "pwdFailureTime"
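The same check as the iMonitor value-count report above, run offline against an LDIF export, as an added example that is not part of this TID. It assumes an LDIF export of the user container (for instance from ldapsearch) and uses the same 5000-value threshold the report uses.

```python
# Added example (not from the TID): count pwdFailureTime values per entry in an
# LDIF export and flag entries above the 5000-value threshold used in the TID's
# iMonitor report. The LDIF export (e.g. from ldapsearch) is an assumption.
import base64

MAX_VALUE_COUNT = 5000  # the Max Value Count the TID enters in iMonitor

def parse_ldif(text):
    """Yield (dn, attrs) per LDIF record; a line starting with one space
    continues the previous line and 'attr:: ...' carries a base64 value."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    dn, record = None, {}
    for line in logical + [""]:  # trailing sentinel flushes the last record
        if line == "":
            if dn is not None:
                yield dn, record
            dn, record = None, {}
            continue
        name, sep, value = line.partition(":")
        if line.startswith("#") or sep == "":
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            record.setdefault(name.lower(), []).append(value)

def value_counts(text, attribute="pwdFailureTime"):
    """Map each DN to the number of values it holds for `attribute`."""
    attr = attribute.lower()
    return {dn: len(attrs.get(attr, [])) for dn, attrs in parse_ldif(text)}

def affected_entries(text, threshold=MAX_VALUE_COUNT):
    """Entries holding more than `threshold` pwdFailureTime values, largest first."""
    hits = [(dn, n) for dn, n in value_counts(text).items() if n > threshold]
    return sorted(hits, key=lambda item: -item[1])

# Constructed sample: one ordinary user and one account hammered by a script
# with stale credentials; the generalized-time values are made up.
SAMPLE_LDIF = "dn: cn=alice,o=acme\npwdFailureTime: 20091105101500Z\n\n" + \
    "dn: cn=svc-backup,o=acme\n" + \
    "".join(f"pwdFailureTime: 200911{i % 28 + 1:02d}{i % 24:02d}0000Z\n" for i in range(5200))
```

The entries it lists are the candidates for the single object repair shown above.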


Additional Information

NMAS 3.3.2.2 introduces a feature that limits the number of values stored in the pwdFailureTime attribute on user objects. In previous versions of NMAS, this attribute records every failed login until a successful login, which clears the list of failed logins. NMAS 3.3.2.2 restricts the number of values for this attribute to a maximum of 100 and deletes all older values on the next login.

If some users have a very large number of values in pwdFailureTime, for example because a script is running with invalid credentials, a race condition can occur that causes this large list to be read into memory on each login attempt. Depending on the number of values and the frequency of the logins, the server may eventually run out of memory.